SPNego Configuration Guide
Dimitar Dimkin
2011 SAP AG
Table of Contents
1. INTRODUCTION
2. MIGRATION
3. KDC CONFIGURATION
4. UME CONFIGURATION
5. BROWSER CONFIGURATION
6. ADDING KERBEROS REALMS
7. CONFIGURE THE USER MAPPING
8. CONFIGURE THE ENCRYPTION KEYS
9. ENABLE THE REALM
10. ADJUST THE AUTHENTICATION STACK
11. LEGACY MODE
1. INTRODUCTION
The SAP NetWeaver Application Server (AS) Java supports Kerberos with the Simple and Protected Negotiation Mechanism (SPNego), enabling authentication with Web clients such as Web browsers. SPNego functions on the AS Java engine are available with the JAAS login module SPNegoLoginModule. In addition, the use of SPNego authentication is not tied to the specific operating system of the AS Java engine host.
SPNego does not provide transport layer security. We recommend that you use transport layer security mechanisms, such as SSL, to increase security for the SPNego communication with the AS Java engine.
Integration
Kerberos authentication requires several systems in your landscape, which negotiate the outcome transparently to the user:
Web client - The Web client requests a service or a resource from the AS Java engine and authenticates against the Kerberos Key Distribution Center. For example, users use a Web browser as a Web client to access Web applications running on the AS Java engine.
Kerberos Key Distribution Center (KDC) - The SPNegoLoginModule uses the Single Sign-On (SSO) authentication mechanism integrated in Microsoft Windows 2000 and higher operating systems. A Microsoft Windows Domain Controller (DC) acts as a KDC enabling Windows Integrated Authentication in a Windows Domain. It authenticates the user and grants a ticket that is used for the communication between the AS Java engine and the user’s Web client.
AS Java engine - The AS Java engine uses a proprietary API to acquire the negotiated security context from the Kerberos ticket issuer, and uses the user management engine (UME) to retrieve the identity management information for the authenticated user. The AS Java engine provides access to the services or resources requested by the Web client.
For information about the integration of non-Windows server components in the Microsoft Kerberos Infrastructure, see the documents available from the Microsoft Developer Network (MSDN) at http://msdn.microsoft.com
2. MIGRATION
Note that this guide is relevant only if your AS Java engine is on one of the following versions or above (if the version of the engine is lower, follow the configuration guide attached to SAP Note 994791):
SAP NetWeaver AS Java 2004 (6.40) SP27
SAP NetWeaver AS Java 2004S (7.00) SP23
SAP NetWeaver AS Java 2004S EhP1 (7.01) SP08
SAP NetWeaver AS Java 2004S EhP2 (7.02) SP06
Depending on the means by which the AS Java engine was installed, select one of the options below:
Fresh installation
In case you installed the AS Java engine from scratch, skip this chapter and go to Chapter 3.
Upgrade with no SPNego
In case the AS Java engine was upgraded from an older version and SPNego was never configured, skip this chapter and go to Chapter 3.
Upgrade with the original SPNego
In case the AS Java engine was upgraded from an older version and the original SPNego was configured, meaning you never used the add-on solution from SAP Note 1457499, follow the instructions in this section.
In order to finish the migration you need to perform several steps:
1. Open the SPNego wizard at http://<host>:<port>/spnego and log on with a user with administrator privileges
2. Hit the “Migrate” button that is displayed at the top of the page
3. SPNego should now work
Upgrade with the SPNego add-on
In case the AS Java engine was upgraded from an older version and the SPNego add-on from SAP Note 1457499 was configured, follow the instructions in this section.
Before the upgrade, you undeployed the add-on solution as described in the note. As a result the login module that was used, SPNEGOLoginModule (note the capital letters), is no longer available. Yet the configuration is still available and can be used. In order to finish the migration you need to perform several steps:
1. Log on to the Visual Administrator and navigate to ServerXXX -> Services -> Security Provider Service
1.1 If the AS Java server is of release 7.10 or newer then log on to the NetWeaver Administrator application at http://<host>:<port>/nwa and navigate to Configuration -> Security -> Authentication and Single Sign-On
2. Select the “ticket” template and remove the SPNEGOLoginModule (capital letters) if it is still there. Either way, add the SPNegoLoginModule at the appropriate position and with the appropriate flag
A typical authentication stack that relies on SPNego for initial authentication, with a user name and password combination as a fallback, might look like this:
Login module                 Flag
EvaluateTicketLoginModule    SUFFICIENT
SPNegoLoginModule            OPTIONAL
CreateTicketLoginModule      SUFFICIENT
BasicPasswordLoginModule     REQUIRED
CreateTicketLoginModule      REQUIRED
3. You can modify any policy configuration in the same manner, depending on the specific applications you want to have configured to work with SPNego
4. SPNego should now work
3. KDC CONFIGURATION
The Kerberos authentication process uses a Key Distribution Center (KDC) to authenticate a client and to issue the Kerberos Client/Server Session Ticket. The configuration steps are specific to the KDC that you use. For more information, see the documentation provided by your KDC vendor. However, in general you need to configure a service user.
Procedure
1. Create a service user to identify the AS Java instance on the KDC. Choose a naming convention to help you identify such users with their corresponding AS Java instances. For example, you can name the user “j2ee-<SID>-<host>” (where <SID> is the system ID of the instance and <host> is the host where it is running). The service user represents an AS Java instance running on a specific host and must meet the following requirements:
a. The password of the service user must never expire
b. Disable Data Encryption Standard (DES) support for this account by ensuring that the “Use DES encryption” check is not selected on the user account
2. Register a Service Principal Name (SPN) for the fully qualified host name and each of the DNS aliases that you use to access the AS Java engine
Example
The following example shows the configuration steps when the KDC is a Microsoft Windows 2000 Domain Controller (DC) that uses an Active Directory Server (ADS) for a user store.
Assumptions
The Windows domain name is IT.CUSTOMER.DE
The fully qualified domain name (FQDN) of the AS Java engine host is hades.customer.de
The AS Java engine has an additional alias su3x24.customer.de
The AS Java engine instance is D21
Configuration steps on the ADS
1. Create a service user named “j2ee-d21-hades”
2. Select the “Password never expires” check on the user’s account
3. Make sure the “Use DES encryption” check on the user’s account is not selected
4. From the command line, execute the following commands in order to register Service Principal Names (SPNs) for the AS Java engine host name and alias to the service user “j2ee-d21-hades”:
setspn -a HTTP/hades.customer.de j2ee-d21-hades
setspn -a HTTP/su3x24.customer.de j2ee-d21-hades
Doing so registers both the host name and the alias as SPNs of the service user in the ADS.
5. In order to check the configuration, execute the following command from the command line for every SPN that you registered:
ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.txt
ldifde -r serviceprincipalname=HTTP/su3x24.customer.de -f out2.txt
When using a reverse proxy or an application-level gateway to access the AS Java, add an SPN for the physical host name and each DNS alias of the reverse proxy or application-level gateway. For this scenario, the Web client procures a Kerberos ticket from the KDC for the reverse proxy or application-level gateway host and not for the AS Java host.
Execute the command for every single SPN you registered to the service user and check the generated files. The output of each invocation must be only one entry, the service user created earlier (in the example, j2ee-d21-hades). In other words, all SPNs must be unique.
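The uniqueness check in step 5 is easy to get wrong by eye when there are many SPNs and aliases. The following script is an added example, not part of this guide or of any SAP tool: it parses the LDIF that ldifde writes and reports every expected SPN that is missing, owned by the wrong account, or (the dangerous case) registered on more than one account, which leaves the KDC unable to pick a single key. The LDIF text, the account names and the attribute layout are constructed for the example; point it at the real out.txt files instead.

```python
"""Check that every registered SPN resolves to exactly one account.

Added example, not part of the SAP guide. Parses the LDIF written by
`ldifde -r serviceprincipalname=... -f out.txt` and reports SPNs that are
missing, on the wrong account, or registered on several accounts.
"""
import re
from collections import defaultdict

# Constructed sample: two ldifde exports concatenated. The alias SPN was
# (wrongly) left behind on an older service account as well.
SAMPLE_LDIF = """\
dn: CN=j2ee-d21-hades,CN=Users,DC=it,DC=customer,DC=de
changetype: add
objectClass: user
sAMAccountName: j2ee-d21-hades
servicePrincipalName: HTTP/hades.customer.de
servicePrincipalName: HTTP/su3x24.customer.de

dn: CN=j2ee-old-hades,CN=Users,DC=it,DC=customer,DC=de
changetype: add
objectClass: user
sAMAccountName: j2ee-old-hades
servicePrincipalName: HTTP/su3x24.customer.de
"""


def parse_ldif_entries(text):
    """Split LDIF into entries; each entry maps lower-cased attr -> [values].
    Folded continuation lines (leading space) are joined to the previous line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line)
        entry = defaultdict(list)
        for line in lines:
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries


def spn_owners(text):
    """Map each SPN (case-insensitive) to the set of accounts that carry it."""
    owners = defaultdict(set)
    for entry in parse_ldif_entries(text):
        names = entry.get("samaccountname") or entry.get("dn") or ["<unknown>"]
        for spn in entry.get("serviceprincipalname", []):
            owners[spn.lower()].add(names[0])
    return owners


def check_spns(text, expected_spns, service_user):
    """Return {spn: problem} for every expected SPN that is not uniquely owned
    by service_user. An empty dict means the registration is correct."""
    owners = spn_owners(text)
    problems = {}
    for spn in expected_spns:
        who = owners.get(spn.lower(), set())
        if not who:
            problems[spn] = "not registered"
        elif len(who) > 1:
            problems[spn] = "duplicate on " + ", ".join(sorted(who))
        elif service_user.lower() not in {w.lower() for w in who}:
            problems[spn] = "registered on " + next(iter(who))
    return problems


if __name__ == "__main__":
    report = check_spns(SAMPLE_LDIF,
                        ["HTTP/hades.customer.de", "HTTP/su3x24.customer.de"],
                        "j2ee-d21-hades")
    for spn, problem in report.items():
        print(f"{spn}: {problem}")
```

Run it against the concatenated ldifde output files; any line printed is an SPN to fix on the ADS before moving on to the UME configuration.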
4. UME CONFIGURATION
Kerberos authentication enables you to choose one from the following mapping modes:
Mapping mode: Principal only
User resolution: The user is resolved only by the principal part of the Kerberos Principal Name (KPN). The principal token can be mapped to the logon ID, to the logon alias or to another UME attribute of the user.
Mapping mode: Principal@REALM
User resolution: The user is resolved by the full KPN as a single token. This token can be mapped to the logon ID, to the logon alias or to another UME attribute of the user.
Mapping mode: Principal and REALM
User resolution: The user is resolved by splitting the KPN into principal and realm tokens. In case the UME data source is ADS, the user mapping is automatic. Otherwise both tokens can be mapped to UME attributes of the user.
If you map the Kerberos token to a UME attribute, you must ensure that the attribute exists and contains data. The UME has a set of standard attributes, such as the e-mail address. If you use such an attribute, there is no need to modify the UME configuration. Otherwise you must ensure that the attribute mapping exists. In all cases, the attribute(s) used for resolving a user must be unique.
5. BROWSER CONFIGURATION
Kerberos authentication is negotiated in the background between the client, the AS Java engine and the Kerberos KDC. To authenticate a client request to the AS Java engine using Kerberos, you also have to adjust the client configuration. Below are the steps you need to follow in order to configure the client browser.
Procedure for Microsoft Internet Explorer
1. Enable Windows Integrated Authentication: “Tools” -> “Internet Options” -> “Advanced” -> choose “Enable Windows Integrated Authentication” (requires restart)
2. Enable automatic logon in the Intranet zone: “Tools” -> “Internet Options” -> “Security” -> “Local Intranet” -> “Custom Level” -> choose “Automatic logon only in Intranet Zone” from the “User Authentication” section
3. Add the AS Java engine’s host name to the list of local Intranet sites: “Tools” -> “Internet Options” -> “Security” -> “Local Intranet” -> “Sites” -> “Advanced”
4. Add the AS Java engine’s host name to the list of sites bypassed by the proxy (if available): “Tools” -> “Internet Options” -> “Connections” -> “LAN Settings” -> “Advanced”
Procedure for Mozilla Firefox
1. Add the AS Java engine’s host name to the list of sites bypassed by the proxy (if available)
2. Enable Integrated Authentication:
a. Type “about:config” in the address bar of the browser
b. Filter the entries by name using the prefix “negotiate”
c. Add the AS Java engine’s address (including the protocol) to the entries “network.negotiate-auth.delegation-uris” and “network.negotiate-auth.trusted-uris”
Note: The detailed navigation steps related to browser configuration are examples only. Depending on the version of your browser they may not be correct. In that case you must find out how those settings are managed and make sure they are set correctly.
6. ADDING KERBEROS REALMS
In this step you add the realm you want to use to the SPNego configuration.
Procedure
1. Start the SPNego configuration application by accessing http://<host>:<port>/spnego
2. Log on with a user with administrator privileges
3. Press the “Add” push button
4. Enter the name of the realm you are adding. This is a mandatory field
5. Enter the description of the realm you are adding. This is an optional field and has no functional meaning
6. Press “OK”
If the release of the AS Java server is 7.20 or above you can skip chapters 6, 7, 8 and 9 in this document and follow the instructions available on the following link:
http://help.sap.com/SAPhelp_nw73/helpdata/en/24/b55234223b4a7fbc20c819401fd359/content.htm?frameset=/en/4e/125e0a1e3d2287e10000000a15822b/frameset.htm
Note that you can still follow the instructions in this document as they are valid. The link above provides a slightly easier way to perform the same configuration.
7. CONFIGURE THE USER MAPPING
In this step you configure or modify the user mapping that will be used to resolve the user for the selected realm.
Procedure
1. Start the SPNego configuration application by accessing http://<host>:<port>/spnego
2. Log on with a user with administrator privileges
3. Select the realm whose user mapping you wish to configure or modify
4. Press the “Edit” push button
5. Select the “User Mapping” tab below the realm
6. Choose a user mapping mode from the “Mapping mode” drop-down menu. This is a mandatory field
7. Choose a user mapping source from the “Source” drop-down menu. This is a mandatory field
8. Press the “Save” push button
Example
We assume that the name of the user is “sapdemo” and it belongs to the “IT.CUSTOMER.DE” domain. In that case, the Kerberos token that arrives at the engine will contain the Kerberos Principal Name (KPN) “sapdemo@IT.CUSTOMER.DE”. It is also assumed that the first custom attribute is “email” and the second (if necessary) is “age”.
Mode: Principal only, Source: logon id
The user in the user store must have their “logonid” attribute equal to “sapdemo”.
Mode: Principal only, Source: logon alias
The user account in the user store must have their “logonalias” attribute equal to “sapdemo”.
Mode: Principal only, Source: user attribute
The user in the user store must have their “email” attribute equal to “sapdemo”.
Mode: Principal@REALM, Source: logon id
The user in the user store must have their “logonid” attribute equal to “sapdemo@IT.CUSTOMER.DE”.
Mode: Principal@REALM, Source: logon alias
The user account in the user store must have their “logonalias” attribute equal to “sapdemo@IT.CUSTOMER.DE”.
Mode: Principal@REALM, Source: user attribute
The user in the user store must have their “email” attribute equal to “sapdemo@IT.CUSTOMER.DE”.
Mode: Principal and REALM, Source: ADS Data Source
The user account in the user store must have their “principal” attribute equal to “sapdemo” and their “realm” attribute equal to “IT.CUSTOMER.DE”. The “principal” and “realm” attributes are standard and come with the AS Java engine installation.
Mode: Principal and REALM, Source: user attributes
The user in the user store must have their “email” attribute equal to “sapdemo” and their “age” attribute equal to “IT.CUSTOMER.DE”.
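The mapping table above and the uniqueness rule from the UME chapter (the attribute(s) used to resolve a user must be unique) are easiest to understand as one lookup routine. The following is an added example, not SAP code and not how the UME is implemented internally: the user store is modelled as a list of attribute dictionaries constructed below, the attribute names follow the example table, and the three modes are named principal_only, principal_at_realm and principal_and_realm. A lookup that matches no user, or more than one, is rejected rather than guessed.

```python
"""Resolve a Kerberos Principal Name (KPN) to a user under the three mapping
modes from this guide. Added example, not SAP code: the UME is modelled as a
list of attribute dictionaries; attribute names follow the guide's example."""


def split_kpn(kpn):
    """'sapdemo@IT.CUSTOMER.DE' -> ('sapdemo', 'IT.CUSTOMER.DE')."""
    principal, sep, realm = kpn.rpartition("@")
    if not sep or not principal or not realm:
        raise ValueError(f"malformed KPN: {kpn!r}")
    return principal, realm


def mapping_criteria(kpn, mode, source):
    """Turn (KPN, mode, source) into the attribute -> value pairs a user must carry.
    mode is "principal_only", "principal_at_realm" or "principal_and_realm";
    source is one attribute name for the first two modes and a
    (principal_attr, realm_attr) pair for the third."""
    principal, realm = split_kpn(kpn)
    if mode == "principal_only":
        return {source: principal}
    if mode == "principal_at_realm":
        return {source: kpn}
    if mode == "principal_and_realm":
        principal_attr, realm_attr = source
        return {principal_attr: principal, realm_attr: realm}
    raise ValueError(f"unknown mapping mode: {mode!r}")


def find_matches(users, kpn, mode, source):
    """All user records whose attributes equal every criterion (exact match)."""
    criteria = mapping_criteria(kpn, mode, source)
    return [u for u in users
            if all(u.get(attr) == value for attr, value in criteria.items())]


def resolve_user(users, kpn, mode, source):
    """The unique user for this KPN; LookupError if none or several match,
    because a non-unique resolving attribute must never log someone in."""
    matches = find_matches(users, kpn, mode, source)
    if len(matches) != 1:
        raise LookupError(f"{kpn}: {len(matches)} users match "
                          f"{mapping_criteria(kpn, mode, source)}, need exactly 1")
    return matches[0]


# Constructed user store. The guide's "sapdemo" user carries the standard
# "principal"/"realm" attributes; a third account reuses the same "email"
# value, so mapping on "email" is ambiguous and must fail.
USERS = [
    {"logonid": "sapdemo", "logonalias": "demo", "email": "sapdemo",
     "principal": "sapdemo", "realm": "IT.CUSTOMER.DE"},
    {"logonid": "sapdemo@IT.CUSTOMER.DE", "logonalias": "demo-full",
     "email": "sapdemo@IT.CUSTOMER.DE"},
    {"logonid": "jdoe", "email": "sapdemo"},
]

if __name__ == "__main__":
    kpn = "sapdemo@IT.CUSTOMER.DE"
    print(resolve_user(USERS, kpn, "principal_only", "logonid")["logonid"])
    print(resolve_user(USERS, kpn, "principal_at_realm", "logonid")["logonalias"])
    print(resolve_user(USERS, kpn, "principal_and_realm",
                       ("principal", "realm"))["logonid"])
    try:
        resolve_user(USERS, kpn, "principal_only", "email")
    except LookupError as err:
        print("rejected:", err)
```

Note that the second record resolves only in Principal@REALM mode and the first only in the two principal-based modes, so switching the mapping mode on a populated user store is a change to who can log on, not just a configuration detail.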
8. CONFIGURE THE ENCRYPTION KEYS
In this step you configure or modify the encryption key(s) that will be used to decrypt the Kerberos token that arrives at the AS Java engine.
Prerequisites
Before you start to configure the encryption keys for the selected realm, you must generate a keytab file. You can use the “ktab” tool provided by Java 1.6. It is executed like this:
ktab -a <principal_name>@<REALM> -k <keytab_file_name>
The parameters are as follows:
<principal_name> - the name of the service user
<REALM> - the realm of the service user
<keytab_file_name> - the name of the keytab file to be created
You will be asked to provide the user’s password when creating the keytab file. It is very important that you enter the correct one: the command makes no checks and will always create a file, even if the password is incorrect. However, during runtime SPNego authentication will fail as the Kerberos token will not be decrypted.
Example
If we assume that the name of the service user is “j2ee-d21-hades”, their realm is “IT.CUSTOMER.DE” and we want to create the keytab file “keytab”, then the command would have the following syntax:
ktab -a j2ee-d21-hades@IT.CUSTOMER.DE -k keytab
Procedure
1. Start the SPNego configuration application by accessing http://<host>:<port>/spnego
2. Log on with a user with administrator privileges
3. Select the realm whose encryption keys you wish to configure or modify
4. Press the “Edit” push button
5. Select the “Keys” tab below the realm
6. Press the “Add” push button
7. Browse to the keytab file generated earlier
8. Press the “Import” push button
9. Select the keys you want to use. By default all of them are selected and it is recommended that you do not change that. At least one key must be selected
10. Press “OK”
11. Press the “Save” push button
The AS Java engine’s versions 6.40, 7.00, 7.01 and 7.02 support DES and RC4-HMAC encryption algorithms. If you want to use AES you must upgrade the engine to 7.20 or above.
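Because ktab silently writes a file even for a wrong password, it is worth inspecting the keytab before importing it: the principal must be the service user in the right realm, and every key type must be one the engine release accepts (DES or RC4-HMAC up to 7.02, AES only from 7.20). The following is an added example, not part of this guide, of SAP's software, or of the JDK ktab tool. It reads the keytab file format that MIT Kerberos and the JDK share (version 0x0502, big-endian) and lists principal, key version and encryption type per entry. The list of supported encryption types for pre-7.20 releases is taken from the note above; the sample keytab is built in the script from a constructed dummy key, not derived from any real password. What the file cannot tell you is whether the typed password was correct; only a real logon shows that.

```python
"""Inspect a keytab before importing it. Added example, not SAP or JDK code.
Parses the MIT/JDK keytab format (0x0502, big-endian) and reports entries
whose principal or encryption type do not match what the engine expects."""
import struct

# Kerberos encryption type numbers from the IANA Kerberos registry.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Per the guide: releases 6.40 to 7.02 support DES and RC4-HMAC only.
SUPPORTED_PRE_720 = {1, 3, 23}


def _counted(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal, realm, entries, timestamp=0):
    """Serialize (kvno, enctype, key_bytes) entries into keytab bytes.
    Used here only to construct sample input; ktab writes the same layout."""
    out = bytearray(b"\x05\x02")
    components = principal.split("/")
    for kvno, etype, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)                 # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", timestamp)         # entry timestamp
        body += struct.pack(">B", kvno & 0xFF)       # 8-bit key version
        body += struct.pack(">H", etype) + _counted(key)
        body += struct.pack(">I", kvno)              # optional 32-bit key version
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [{principal, realm, kvno, enctype, key_len}] for each live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                                # negative size = deleted slot
            pos += -size
            continue
        end = pos + size

        def take():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            chunk = data[pos:pos + n]; pos += n
            return chunk

        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        pos += 4 + 4                                 # skip name_type and timestamp
        kvno = data[pos]; pos += 1
        (etype,) = struct.unpack_from(">H", data, pos); pos += 2
        key = take()
        if end - pos >= 4:                           # 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "kvno": kvno, "enctype": etype, "key_len": len(key)})
    return entries


def keytab_problems(data, expected_principal, expected_realm, supported=SUPPORTED_PRE_720):
    """Human-readable problems; an empty list means the keytab looks importable."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no keys"]
    problems = []
    for e in entries:
        who = f"{e['principal']}@{e['realm']}"
        if (e["principal"], e["realm"]) != (expected_principal, expected_realm):
            problems.append(f"unexpected principal {who}")
        if e["enctype"] not in supported:
            name = ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
            problems.append(f"{who}: enctype {name} not supported by this engine release")
    return problems


# Constructed sample: the guide's service user with an RC4-HMAC key and an
# AES-256 key, both dummy bytes (no real password involved).
SAMPLE_KEYTAB = build_keytab("j2ee-d21-hades", "IT.CUSTOMER.DE",
                             [(2, 23, b"\x11" * 16), (2, 18, b"\x22" * 32)])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    for problem in keytab_problems(SAMPLE_KEYTAB, "j2ee-d21-hades", "IT.CUSTOMER.DE"):
        print("problem:", problem)
```

To check a real file, replace SAMPLE_KEYTAB with open("keytab", "rb").read(); pass supported={17, 18, 23} (or include the DES types if they are still enabled) when the engine is 7.20 or above.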
9. ENABLE THE REALM
In this step you enable the selected realm.
Procedure
1. Start the SPNego configuration application by accessing http://<host>:<port>/spnego
2. Log on with a user with administrator privileges
3. Select the realm you want to enable
4. Press the “Edit” push button
5. Press the “Enable” push button
6. Press the “Save” push button
You can enable a realm only if you have already configured its user mapping and encryption keys. Otherwise it must stay disabled until you complete its configuration.
A realm can be disabled in the same way it can be enabled. If a realm is disabled, it will not be used during authentication even if it is configured correctly and a request from a user that belongs to that realm arrives.
10. ADJUST THE AUTHENTICATION STACK
In this step you add the SPNegoLoginModule to the respective authentication stack(s) in order to configure the required applications to use Kerberos authentication.
Procedure
1. Log on to the Visual Administrator and navigate to ServerXXX -> Services -> Security Provider Service
1.1 If the AS Java server is of release 7.10 or newer then log on to the NetWeaver Administrator application at http://<host>:<port>/nwa and navigate to Configuration -> Security -> Authentication and Single Sign-On
2. Select the “ticket” template and remove the SPNEGOLoginModule (capital letters) if it is still there. Either way, add the SPNegoLoginModule at the appropriate position and with the appropriate flag
3. You can modify any policy configuration in the same manner, depending on the specific applications you want to have configured to work with SPNego
4. SPNego should now work
A typical authentication stack that relies on SPNego for initial authentication, with a user name and password combination as a fallback, might look like this:
Login module                 Flag
EvaluateTicketLoginModule    SUFFICIENT
SPNegoLoginModule            OPTIONAL
CreateTicketLoginModule      SUFFICIENT
BasicPasswordLoginModule     REQUIRED
CreateTicketLoginModule      REQUIRED
11. LEGACY MODE
The SPNegoLoginModule login module can work in the so-called legacy mode. This means that it will use the old implementation even though the new one is also available. This mode is not recommended and should be used only in very specific and urgent situations when for some reason the new configurations cannot be performed.
The login module can work in legacy mode only if the following requirements are fulfilled:
At some point in time the old SPNego wizard was used to configure SPNego
The old SPNego configuration was working without any problems
Procedure (AS Java release lower than or equal to 7.02)
1. Log on to the Visual Administrator and navigate to ServerXXX -> Services -> Security Provider Service
2. Switch to Edit mode and select the “User Management” tab
3. Hit the “Manage Security Stores” button at the bottom of the screen
4. Make sure that the “UME User Store” is selected in the “User Stores” column and then select the SPNegoLoginModule module from the list of login modules
5. Hit the “View/Change Properties” button at the bottom of the screen
6. Enter a new property with name “com.sap.security.spnego.legacy” and value “true”
Procedure (AS Java release equal to or greater than 7.10)
1. Log on to the NetWeaver Administrator application at http://<host>:<port>/nwa and navigate to Configuration -> Security -> Authentication and Single Sign-On
2. Select the “Login Modules” tab
3. Select the SPNegoLoginModule module from the list of login modules
4. Hit the “Edit” button on the “Login Module Options” tab
5. Add a new property with name “com.sap.security.spnego.legacy” and value “true”
6. Save the changes